{"id":864,"date":"2017-05-08T13:56:27","date_gmt":"2017-05-08T13:56:27","guid":{"rendered":"https:\/\/www.automationninjas.com\/email-marketing-armageddon-the-general-data-protection-regulation\/"},"modified":"2024-04-25T15:00:42","modified_gmt":"2024-04-25T14:00:42","slug":"email-marketing-armageddon-the-general-data-protection-regulation","status":"publish","type":"post","link":"https:\/\/www.automationninjas.com\/blog\/email-marketing-armageddon-the-general-data-protection-regulation\/","title":{"rendered":"Email Marketing Armageddon: The General Data Protection Regulation"},"content":{"rendered":"
Author: Kenda Macdonald

<h2>What is GDPR?<\/h2>

GDPR is the General Data Protection Regulation. It came into effect on May 25th, 2018 and is a set of regulations set out to give individuals greater control of their personal data that is held by third parties. It’s general, which means that it applies to all companies, no matter what industry they serve. And it has the ability to drastically change your marketing. If you do not comply with the guidelines you won’t be able to email ANYONE in the United Kingdom or the European Union.

The General Data Protection Regulation is the new set of laws that governs how you communicate and interact with, and how you store, prospect and customer data for any of the 750 MILLION people and 1 BILLION email accounts that are associated with European member states.

Or email marketing armageddon.

Or is it?

<h2>Getting into it, let’s talk about what GDPR actually means for you<\/h2>

What has everyone got so fussed about?

The deadline has been and gone, but still many people aren’t taking GDPR seriously. Should they be?

Currently, the way you communicate with people in America via email is governed by CAN-SPAM, in Canada by CASL, and in the European Union by the Directive on Privacy and Electronic Communication (also known as the EU E-Privacy Directive). Catchy title guys!

That has changed. As of 25 May 2018, the General Data Protection Regulation (GDPR) came into force, replacing the EU E-Privacy Directive. And it’s bigger and scarier, with even harsher penalties than CAN-SPAM and CASL combined.

So why is the EU upsetting the apple cart when it’s been trundling along so nicely with the EU E-Privacy Directive?

Partly because it’s seriously outmoded, security-wise.

Mainly because the E-Privacy thing is a Directive. It outlines goals that each of the 28 EU member states (the UK included for the time being) should adhere to. Each of those states then interprets the Directive differently, and so the result is: different email laws for each of the 28 EU member states.

That’s a nightmare to manage and adhere to.

GDPR is the answer to this mess. And as GDPR is a regulation, not a directive, it has binding legal force.

<h2>The result is one of the strictest regulations to ever come into force with some of the heaviest penalties ever seen.<\/h2>

Here’s what the EU has to say:

<blockquote>The objective of this new set of rules is to give citizens back control over their personal data, and to simplify the regulatory environment for business. The data protection reform is a key enabler of the Digital Single Market which the Commission has prioritised. The reform will allow European citizens and businesses to fully benefit from the digital economy. Everyone has the right to the protection of personal data. Therefore, common EU rules have been established to ensure that your personal data enjoys a high standard of protection everywhere in the EU. You have the right to complain and obtain redress if your data is misused anywhere within the EU. [1]<\/blockquote>

And it’s coming straight at you.

So why is this so scary? I mean, what’s the big deal?

<h2>What it means:<\/h2>

The big change is on protecting the rights of individuals in relation to their personal data:

“…everyone has the right to the protection of personal data concerning him or her”

This means new rights given in relation to the following:

The word you need to take home from all of the above is TRANSPARENCY.

The laws are affording people the right to know what you’re up to with their personal data.

<h2>Is GDPR a bad thing?<\/h2>

Absolutely not. After all, this relates to you too.

So what’s the big deal then?

Well, it’s how personal data is defined, and what you have to do in order to first obtain that information (at the point of opt-in), how you can store that information, what you’re allowed to do with it, and what penalties you face if you don’t take this seriously (hint: 20 million euros in fines…).

<h2>FIRST – What is ‘personal data’?<\/h2>

GDPR has a very strict definition of personal data:

<blockquote>Any information that could be used, on its own or in conjunction with other data, to identify an individual.<\/blockquote>

This means that even a phone number stored on its own, or a social media ID without an associated name or address, may fall under the regulation and needs to be properly protected.

Then there comes the processing of data. Anything you do after you get someone to sign up is considered processing:

<blockquote>GDPR considers ‘processing’ as ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’.<\/blockquote>

And in order to do ANY of that, you need unambiguous, or explicit, permission to do so. You need to tell your audience EXACTLY what you’re going to do with it.

Are you going to add them into a campaign which tracks which links they click on? You need to tell them. Adding tags to email opens? You need to tell them. Tracking email opens? You need to tell them. Offering certain products based on behaviour? You need to tell them.

So yeah. Everything you do.

Now, no need to panic – this is the sort of information that you can *easily* put in your terms and conditions. (There are sample terms and conditions that are GDPR compliant in the resources section at the bottom of this post.)

The important part is that you have to get them to AGREE to your terms and conditions, and you have to have PROOF that they have done so.

And this is where everyone loses their minds.

The confusion has arisen from the “unambiguous” and “explicit” consent or permission mentioned in the official regulation documentation.

It mentions that you have to have unambiguous permission for contact and processing purposes, and then later on that you have to have explicit consent.

Each of these is very different and means very different things in the marketing world.

For example, explicit consent means double opting-in in the email marketing industry. And due to this terminology blip, there are a bunch of myths floating around.

Thankfully there has been some clarification on the matter:

<blockquote>“On the final outstanding issues that were discussed in trilogue, the following balance was achieved. The way in which consent is to be given by data subjects remains “unambiguous” for all processing of personal data, with the clarification that this requires a “clear affirmative action”, and that consent has to be “explicit” for sensitive data.”<\/blockquote>

There you have it! The difference is in the TYPE of data.

If you are handling sensitive data, you need explicit consent to process that data (remember, processing is anything really). If you are handling personal data you need unambiguous consent.

What does that even mean?! The legalese is strong in this case, and I feel it’s going to trip up many, many people. To help, I found a great article from Field Fisher, Privacy, Security and Information Law Specialists:

<blockquote>“If someone says “Yes, I agree” or ticks an unchecked box to say “I consent”, they have indicated their consent through an affirmative action. Not only that, but they have done so through an explicit affirmative action – sufficient to satisfy the consent requirements for both ordinary personal data AND sensitive personal data processing.” [2]<\/blockquote>

<blockquote>GDPR clarifies that an affirmative action signalling consent may include checking a box on a website, ‘choosing technical settings for information society services,’ or ‘another statement or conduct’ that clearly indicates consent to the processing. ‘Silence, pre-ticked boxes, or inactivity,’ however, is not adequate. – James Koons<\/blockquote>

<blockquote>The GDPR demands that the recipient is provided with adequate information on how their data will be used. For example, if you intend to profile someone’s data to determine what offers they receive, you must now tell your customer that is how you intend to use the data and give them the opportunity to object. – Tim Roe<\/blockquote>

So there we go. You DON’T have to double-opt all your contacts in, but you DO HAVE to get them to agree to your terms and conditions, and be clear and transparent in those conditions, in easy-to-read language, as to what you will be doing with personal and sensitive information.

That is the biggest issue with the new regulations: transparency and permission.

I really don’t think that’s a bad thing at all.

The bit that is really bothering me is this:

<h2>You have to get ALL your EXISTING data up to the new standards<\/h2>

GDPR also applies to all existing data.

Yeah. That’s the face I pulled too.

If you currently have EU subscribers with permissions that are not up to the GDPR standards, and you can’t provide proof of it, you will NOT BE ABLE TO LEGALLY EMAIL THEM.

Not after May 25 2018.

<blockquote>There is no allowance for data captured before GDPR. Once the GDPR comes into play, if you don’t have sufficient consent, you won’t be able to legally process the data. It’s time to bring all of your customers’ data and business processes up to the correct standard. – Tim Roe [3]<\/blockquote>

That’s the bit everyone should be worried about.

Then there is the next little bit:

<h2>New requirements for consent record keeping<\/h2>

<blockquote>Under the GDPR, the burden of proof that sufficient consent has been given lies with the company. This means that you will need to prove and show reasonable evidence that you have complied with the GDPR if you are challenged. – Tim Roe<\/blockquote>

<blockquote>Storing consent forms is something that most data owners have never had to do before, but in the future, all forms will have to be presented if requested. – James Koons<\/blockquote>

<blockquote>I suggest it would be sensible for marketers to include a screengrab of the page or app where the consent was obtained. That is something your platform is not likely supporting out of the box today. – Andrew Bonar [4]<\/blockquote>

You need to prove that you have complied in case you are challenged. I like Andrew Bonar’s suggestion.

If you’re using Infusionsoft®, when a contact fills out a webform this is tracked on the contact’s record, along with what their opt-in status is.

The penalties are really quite harsh:

<blockquote>Non-compliance with GDPR can lead to fines of up to €20 million or 4% of a brand’s total global annual turnover (whichever is higher). They will rely heavily on consumers to report breaches, and will likely focus their efforts on the most serious violations. [5]<\/blockquote>

Ignoring this really isn’t an option.

<h2>What if I don’t want to do any of that stuff?<\/h2>

Nope!

<h2>What does BREXIT mean for GDPR?<\/h2>

From the Cloud Lawyer:

<blockquote>The Secretary of State Karen Bradley MP recently confirmed that the UK Government will be opting in to the General Data Protection Regulation (see Q72) and the Information Commissioner has said “I see this as good news for the UK… The ICO is committed to assisting businesses and public bodies to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.” The Information Commissioner’s Office wants GDPR. In fact, it wants custodial sentences too for data breaches: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/01/information-commissioner-rep… [6]<\/blockquote>

All in all pretty serious! No avoiding this!

<h2>So what do you need to do?<\/h2>

You could just delete all your EU contacts before 25 May 2018…

But that’s silly. The legislation affects 750 million EU citizens and over 1 billion email accounts. Don’t shoot yourself in the foot by locking yourself out of those markets.

Your only real option is to bring your list(s) up to scratch with the GDPR standards.

As Litmus states: If your program complies with GDPR, it’s likely that you’re compliant with other international email regulations as well. [7]

Here’s how we suggest you make sure you’re compliant:

<h2>Get your strategy in place:<\/h2>

<h3>1. Define how you opt contacts in<\/h3>

- Check boxes accepting terms and conditions on all forms (NOT pre-checked): Add check boxes that a prospect has to tick to accept your terms and conditions (with a link to those conditions) before the form can be submitted. This covers you for unambiguous consent. However, having the box pre-checked is in direct violation of the regulation! They have to tick the box themselves…

According to Marketing Tech News, the following statements should cover you (I’d still speak to a lawyer though!):

<blockquote>I would like to receive future communications from COMPANY. Privacy Policy. Cookie Policy. Terms & Conditions.<\/blockquote>

<blockquote>Sign me up for personalised emails from COMPANY. By signing up, I agree to company’s Privacy & Cookie Policy, as well as their Terms and Conditions.<\/blockquote>

<blockquote>I would like COMPANY to continue to send me relevant materials. You can withdraw your consent at any time. [8]<\/blockquote>

- Clear terms and conditions, data protection and privacy policies, cookie policy and data retention policies: You’ll need to overhaul your policies. I’d suggest going to a specialist lawyer for this. The information that is included in your policies needs to be very transparent as to how you intend to use the collected data. And it needs to be in easily understandable language. This relates back to your checkbox, and is what is giving you permission to process their data.

- Confirmations / double opt-ins: Make double opting-in your contacts a standard policy. No email confirmation, no entry. This covers you for explicit consent. And it doesn’t have to be the ugliest email someone has ever seen either. Personalise it, and make it a great user experience by customising your double opt-in emails.

<h3>2. Make sure you can prove the above<\/h3>

- Define and document your processes: If you have clearly documented processes it makes it much easier to prove you are compliant. We advocate documenting every campaign anyway as a standard business procedure! Get in touch with an expert if you don’t know where to start (contact us). Don’t forget to include records of your opt-in boxes in this process.

<h3>3. Strategise ways to get your existing data up to scratch<\/h3>